This blog is authored by Avi Sagiv, Principal Program Manager, Windows Defender ATP.

Security is top of mind for all our customers. At Microsoft, we’re building a platform that looks holistically across all the critical end-points of today’s cloud and mobile world. Our platform investments across identity, applications, data, devices, and infrastructure take a comprehensive approach that is inclusive of the technologies our customers are using.

As we continue to invest in delivering enhanced security to your endpoints, we wanted to give you an update on what’s new in the Windows Defender ATP Creators Update preview.

We’ve been experiencing great momentum – we now help protect a large number of customers on nearly 2 million devices worldwide. Protecting so many customers brings greater responsibility: we’re diligently tracking advances in sophisticated attacks, and listening to feedback from our Windows Defender ATP customers. We leverage our cloud service to continuously introduce new features, and are adding major enhancements to the OS-integrated sensor technologies in the Windows Creators Update.

We continue to upgrade our detections of ransomware and other advanced attacks, applying our behavioral and machine-learning detection library to counter changing attacks trends.
Our historical detection capability ensures new detection rules apply to up to six months of stored data to detect attacks that previously went unnoticed. Customers can also add customized detection rules or IOCs to augment the detection dictionary.

Investigation

Customers asked us for a single pane of glass across the entire Windows security stack. Windows Defender Antivirus detections and Device Guard blocks are the first to surface in the Windows Defender ATP portal interleaved with Windows Defender ATP detections. The new user entity adds identity as a pivot, providing insight into actions, relationships, and alerts that span machines and allow us to track attackers moving laterally across the network.

Our alert page now includes a new process tree visualization that aggregates multiple detections and related events into a single view that helps security teams reduce the time to resolve cases by providing the information required to understand and resolve incidents without leaving the alert page.

SecOps can hunt for evidence of attacks, such as file names or hashes, IP addresses or URLs, behaviors, machines, or users. They can do this immediately by searching the organization’s cloud inventory, across all machines – and going back up to 6 months in time – even if machines are offline, have been reimaged, or no longer exist.

Response

When detecting an attack, security teams can now take immediate action: isolate machines, ban files from the network, kill and quarantine running processes or files, or retrieve an investigation package from a machine to provide forensic evidence – with a click of a button. Because while detecting advanced attacks is important – shutting them down is even more so.

Figure 3 Machine level response actions

Come experience these features in the the Creators Update trial – and tell us what you liked – and what you’d like to see in the future. Join us for free.